I want to preface this by saying that I am very green when it comes to NAC. We had an implementation done for my organization by a 3rd-party vendor with no training, and I don't have a good working knowledge of the system at all.
My immediate problem is with the SSO of the NAC client. SSO works fine if a user engages our AnyConnect VPN connections by opening the already installed AnyConnect client and logging in as usual. The NAC agent pops up a few moments later and you're in.
But when a user uses the browser to log in to the SSL portal and then gets AnyConnect pushed down to them, once the connection is made the NAC agent pops up a login screen instead of just going through as it does in the other scenario.
I've had a look at my Mapping Rules for the Cisco VPN and it appears we're mapping role based on IP address, with expressions like (0,8 contains 10.56.80) etc. As stated above, these seem to work fine when you launch AnyConnect standalone but not when AnyConnect is launched by the web browser login procedure.
I ran debug radius on the ASA to ensure that both login scenarios are sending the same data to the NAC. They are NOT. The debug radius output from the working AnyConnect scenario (standalone launch) shows three extra lines that are missing from the debug of the non-working scenario (web launched):
Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.56.81.11 (0x0A38510B)
Since I'm using the Framed-IP-Address as part of the NAC profile identification, I'd say that this is WHY the NAC isn't working right in the web-launched scenario, but I don't know why the ASA isn't sending this info to the NAC...
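To make the failure mode above concrete, here is an added example (not code from the original post, the NAC vendor or Cisco) that decodes a RADIUS attribute list the way the ASA debug shows it: each attribute is a Type byte, a Length byte covering the whole attribute, and the Value, so the three debug lines correspond to the six bytes 08 06 0A 38 51 0B. The IP-based role mapping is written here as network membership (10.56.80.0/23 is an assumed network, "VPN-Users" an assumed role name, and the User-Name "jdoe" is constructed) rather than the NAC's substring-style "contains" expression. Running it against one constructed attribute list with Framed-IP-Address and one without reproduces the behaviour described: no attribute 8, no role match.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# RADIUS attribute types from RFC 2865 that appear in the ASA "debug radius" output.
USER_NAME = 1
FRAMED_IP_ADDRESS = 8


def parse_radius_attributes(payload: bytes) -> Dict[int, List[bytes]]:
    """Walk a RADIUS attribute list: Type (1 byte), Length (1 byte, whole attribute), Value."""
    attrs: Dict[int, List[bytes]] = {}
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % offset)
        atype, alen = payload[offset], payload[offset + 1]
        if alen < 2 or offset + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, offset))
        attrs.setdefault(atype, []).append(payload[offset + 2:offset + alen])
        offset += alen
    return attrs


def framed_ip(attrs: Dict[int, List[bytes]]) -> Optional[str]:
    """Return Framed-IP-Address as a dotted quad, or None when attribute 8 is absent."""
    values = attrs.get(FRAMED_IP_ADDRESS)
    if not values:
        return None
    raw = values[0]
    if len(raw) != 4:
        raise ValueError("Framed-IP-Address must be exactly 4 bytes, got %d" % len(raw))
    return str(ipaddress.IPv4Address(raw))


# Assumed mapping rules: the post's "(0,8 contains 10.56.80)" is expressed here as
# network membership, which avoids the substring match also hitting e.g. 110.56.80.x.
RULES: List[Tuple[str, str]] = [
    ("10.56.80.0/23", "VPN-Users"),
]


def map_role(ip: Optional[str], rules: List[Tuple[str, str]]) -> Optional[str]:
    """First rule whose network contains the IP wins; no Framed-IP-Address means no match."""
    if ip is None:
        return None
    addr = ipaddress.IPv4Address(ip)
    for network, role in rules:
        if addr in ipaddress.IPv4Network(network):
            return role
    return None


def classify(payload: bytes, rules: List[Tuple[str, str]] = RULES) -> Tuple[Optional[str], Optional[str]]:
    """Return (framed_ip, role) for one RADIUS attribute list."""
    ip = framed_ip(parse_radius_attributes(payload))
    return ip, map_role(ip, rules)


# Constructed sample attribute lists (User-Name "jdoe" is invented).
# Standalone AnyConnect launch: carries Type 8, Length 6, value 0x0A38510B = 10.56.81.11,
# matching the three extra lines in the working debug output.
STANDALONE_ATTRS = b"\x01\x06jdoe" + b"\x08\x06\x0a\x38\x51\x0b"
# Web-launched scenario: the same request minus the Framed-IP-Address attribute.
WEB_LAUNCHED_ATTRS = b"\x01\x06jdoe"

if __name__ == "__main__":
    for label, payload in (("standalone", STANDALONE_ATTRS), ("web-launched", WEB_LAUNCHED_ATTRS)):
        ip, role = classify(payload)
        print("%-12s Framed-IP-Address=%s role=%s" % (label, ip, role))
```

The point of the two sample lists is the diagnostic check itself: if the role lookup depends on attribute 8, any authentication path that omits it will land the user in the "no role" branch regardless of the rule expression, so comparing the decoded attribute set per login path tells you where the mismatch sits before touching the mapping rules.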